The Digital Privacy Act (DPA), passed in June 2015, was an official announcement by the Canadian federal government that cyber-security had crossed over into crisis territory. The legislation was passed to counter the growing assault on the security and privacy of companies, and in a practical sense on the citizens whose data is “out there” on company servers. The Act requires companies to:

Notify individuals that, due to a breach, they are exposed to significant harm

The DPA gives the Privacy Commissioner the power to audit organizations and, if any are found to be non-compliant, to impose fines.

Rising to the challenge

Many Canadian companies have been devoting resources to assessing their security knowledge, technical capability, and readiness to meet the standards set out by the DPA, and to steer clear of the negative consequences of being deemed non-compliant. Unfortunately, not everyone has responded adequately to the rising threat.

“Many companies continue to rely on the security they have always had in place,” said Ajay Sood, Vice-President and GM of the Symantec Corporation. “What this means is that they are not evolving. While they may retain a vigilant security posture, they are not doing everything they can to keep their risk of breach low. In this is the difference between vigilance and effectiveness, or, in the context of the DPA, security compliance in the mobile and cloud era.”

That the internet has always been a kind of Wild West, a place where bad actors with sufficient cunning and motivation can prosper, is a given. But things are approaching a boiling point:

Thirty-six per cent of Canadian organizations know that their data has been breached at least once over the past year (leaving aside those companies that were hacked but don’t know it).

Since 2014, cyber-attacks against small- and medium-sized businesses have risen by 44 per cent.

The explosion of the Internet of Things, with its millions of connected devices, has gifted hackers with countless potential attack surfaces. In this new world, companies must, at bare minimum, get onside with regard to:

People: Many employees today work on the run. Mobility, hip and convenient as it may be, is a wide-open door for bad actors. Companies wishing to rise to this challenge must get a comprehensive view of their networks.

Processes: Some companies play it loose when it comes to their security processes, leaving much of it up to employees’ discretion. While most are sensible, it only takes one cowboy to open the pen. Companies that are serious about their security will work hard to put processes in place to protect their data, and to quickly identify and recover from security breaches.

Technology: This area of vulnerability covers a wide range, from unpatched software to mislaid mobile devices. Companies without control of their technology are highly attractive targets for hackers.